Many clients do not have a one-to-one or one-to-many assignment of roles to role owners; instead,
they use specific logic to determine role owners. In our setup, GRC approvers are defined
based on functional area, business process, connector, etc. A role-based agent rule was created
so that GRC approvers are easy to maintain.


Resolution: Create a BRF+ agent rule that fetches approvers based on decision table criteria
and dummy role assignment.


BRF+ Design: 

The following steps are followed to achieve the required result:

Step 1: Create Structure “AGR_USERS” 

Step 2: Create a decision table to provide “dummy role name” based on suitable selection. 

Step 3: Create a DB lookup on table “AGR_USERS” to fetch users assigned to appropriate dummy 
roles. 

Step 4: Create a “Ruleset” to process DB lookup and return approvers. 


BRF+ Configuration: 

Generate the BRF+ rule via transaction SPRO in the GRC system, following the steps below.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control
=> Workflow for Access Control => Define Workflow related MSMP rules.

Or

Directly execute transaction code GRFNMW_DEV_RULES.


Fill in the generation criteria (Process ID, Rule type, etc.)

Specify the generation options

Generate the rule shell (Execute button)

After successful rule generation, go to BRF+ to check the newly created BRFplus application.


[Screenshot: rule generation screen. Rule info: SAP_GRAC_ACCESS_REQUEST, ZBRF_ROLEOWNER, BRFplus Flat Rule (Line Item by Line Item). Generation options: Generate Rule; Gen. Result Work-area (BRF+).]


Function Signature update:

In the BRF+ function, change the mode to “Event Mode” and activate the function as shown below.
Because the function mode has been changed to “Event Mode”, the result data object changes
automatically and has to be reset manually.

In the “Signature” tab of the BRF+ function, change the result data object to GRFN_MW_T_AGENT_ID.


[Screenshot: function detail, Mode: Event Mode, Signature tab. Context: GRAC_S_REQUEST_RULE_HEADER (Request Header Structure), GRAC_S_REQUEST_RULE_LINE (Access Request Line Item Structure), GRFN_MW_S_AGENT_ID (Result - Agent Rule Structure). Result Data Object: GRFN_MW_T_AGENT_ID.]


Create Structure: 
From context menu of BRF+ application, create a Structure and bind it to AGR_USERS. 
Save and activate this structure. 


[Screenshot: Create Structure dialog. Type: Structure; Name: AGR_USERS; Short Text: AGR_USERS; Text: AGR_USERS; Application: ZBRF_ROLEOWNER; Binding Type: Bind to Structure Type (DDIC); DDIC Type Name: AGR_USERS.]


Create a Decision Table: 
From context menu of BRF+ application, create an Expression of type “Decision Table” 


[Screenshot: Create Decision Table dialog. Type: Decision Table; Name: ZROLEOWNER; Short Text: Role Owner; Text: Role Owner; Application: ZBRF_ROLEOWNER; Is Reusable: checked.]


Add “Condition” and “Result” columns as required.
Note that AGR_NAME can only be selected as a result column if the structure AGR_USERS has
already been created.


[Screenshot: list of columns. Condition columns: FUNCAREA, BPROC, DEPARTMENT, CONNECTOR. Result column: AGR_NAME. Accessibility of all columns: Full Access (Changes Allowed).]


Create dummy roles in the GRC backend system and assign them to the approvers.
Populate the decision table with business data as required.


[Screenshot: decision table contents with columns FUNCAREA, BPROC, DEPARTMENT, CONNECTOR and AGR_NAME. The legible cells show the values 31.01 and 31.02 combined with FSCM, LO-AB, SSC (SSC/Shared Service Center) and FI (Finance+Controlling); the remaining cells are not legible.]


Create DB Lookup: From the context menu of the BRF+ application, create an Expression of
type “DBLookup”.


[Screenshot: Create Database Lookup dialog. Type: Database Lookup; Name: GET_APPROVER_LOOKUP; Short Text: GET_APPROVER_LOOKUP; Text: GET_APPROVER_LOOKUP; Application: ZBRF_ROLEOWNER.]


Add the details below to the DB lookup. Here the lookup is applied to table AGR_USERS based on
the result received from ZROLEOWNER, and the user ID is inserted into GRFN_MW_T_AGENT_ID.
Save and generate the DB lookup.




Create Ruleset: 


Click “Create and Navigate To Object” 
Create Rule as below: 


[Screenshot: Create Ruleset dialog. Type: Ruleset; Name: GET_APPROVER; Short Text: GET_APPROVER; Text: GET_APPROVER; Application: ZBRF_ROLEOWNER.]

[Screenshot: ruleset GET_APPROVER with one rule. Then: (1) Change GRFN_MW_T_AGENT_ID after processing GET_APPROVER_LOOKUP.]


Assign the ruleset to the function 
[Screenshot: ruleset header. Enabled: checked; Function: ZBRF_ROLEOWNER; Number of Rules: 1; Priority: 00.]


Go to the function; under the assigned rulesets you should be able to find the “GET_APPROVER”
ruleset.


[Screenshot: function detail, Mode: Event Mode, Assigned Rulesets tab listing ruleset GET_APPROVER (Enabled: Yes).]

Simulate BRF+ rule:
Provide the mandatory context values, such as Business Process, Functional Area and Connector.

[Screenshot: simulation result. Table GRFN_MW_T_AGENT_ID with columns LINE_ITEM_KEY, USER_ID, NOTIFY_EXT_WHO_TYPE and NOTIFY_EXT_WHO; returned user: SAKAUSAR.]


The function should return the user IDs of the role owners as per the settings in the decision table.
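
The lookup chain configured above (decision table ZROLEOWNER to a dummy role, then AGR_USERS to user IDs), modelled offline in Python as an added example; it is not the author's code or SAP's. The table rows, role names and user IDs are constructed, first-match evaluation is assumed, and the validity-date filter (FROM_DAT/TO_DAT) and the empty-approver check are additions the page does not configure.

```python
from datetime import date
from fnmatch import fnmatchcase

FOREVER = date(9999, 12, 31)

# Constructed decision table: (FUNCAREA, BPROC, DEPARTMENT, CONNECTOR) -> AGR_NAME.
# "*" matches any value; the dummy role names are hypothetical.
DECISION_TABLE = [
    (("31.01", "FSCM", "*", "*"), "ZGRC_APPR_3101_FSCM"),
    (("31.01", "*", "*", "*"), "ZGRC_APPR_3101"),
    (("31.02", "FI", "*", "*"), "ZGRC_APPR_3102_FI"),
]

# Constructed AGR_USERS rows: (AGR_NAME, UNAME, FROM_DAT, TO_DAT).
AGR_USERS = [
    ("ZGRC_APPR_3101_FSCM", "APPROVER1", date(2020, 1, 1), FOREVER),
    ("ZGRC_APPR_3101_FSCM", "APPROVER2", date(2020, 1, 1), date(2021, 6, 30)),
    ("ZGRC_APPR_3101", "APPROVER3", date(2022, 3, 1), FOREVER),
    ("ZGRC_APPR_3102_FI", "APPROVER4", date(2020, 1, 1), date(2020, 12, 31)),
]


def dummy_role(funcarea, bproc, department, connector):
    """Return the AGR_NAME of the first matching row (assumed single-match mode)."""
    context = (funcarea, bproc, department, connector)
    for conditions, agr_name in DECISION_TABLE:
        if all(fnmatchcase(v, p) for v, p in zip(context, conditions)):
            return agr_name
    return None


def approvers(agr_name, on):
    """Users whose assignment to the dummy role is valid on the date `on`."""
    return sorted({uname for role, uname, start, end in AGR_USERS
                   if role == agr_name and start <= on <= end})


def resolve(funcarea, bproc, department, connector, on):
    """Model of the agent rule: decision table, then AGR_USERS lookup."""
    role = dummy_role(funcarea, bproc, department, connector)
    return role, (approvers(role, on) if role else [])


def roles_without_approver(on):
    """Dummy roles in the table that would return no agent on `on`."""
    return sorted({role for _, role in DECISION_TABLE if not approvers(role, on)})
```

A context that resolves to a role listed by `roles_without_approver` would produce an empty agent list, so this kind of check is worth repeating whenever dummy role assignments change.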


Conclusion: This custom agent rule allows us to skip the standard role owner maintenance
process in GRC and assign approvers simply by assigning them dummy roles created in the GRC
system. Dummy roles can be created as required, for example based on
system\client, department, business process, etc.




